8/1/17

1

Security&PrivacyinContent-CentricNetworking

(CCN)

§  Security of Embedded Devices (ES/CPS/IoT) §  Privacy-Agile Cryptographic Techniques

§  Cloud/DB apps §  Genomic S&P §  Input size-hiding

§  Privacy in Social Networks §  Usable Security §  Biometrics + De-authentication + Attacks §  S&P in ICN/CCN/NDN

For more info see: sprout.ics.uci.edu

8/1/17

2

OUTLINE•  Internet•  CCNOverview•  CCNSecurity&Privacy•  AnonymousContentRetrieval•  CachePrivacy•  DenialofService•  Network-LayerTrust•  OtherTopics?

–  AccessControl,AccounIng,FragmentaIon,NACKs

NEEDTOKNOW(forthistalk)

•  Basicnetworking&Internetconcepts

•  Networksecurityprinciples– Protocols

•  Basicknowledgeofappliedcryptography– BasiccryptographicprimiIves

8/1/17

3

5

•  Tremendous,unexpected,unprecentedandlong-lasIngglobalsuccessstory

•  35-year-olddesign:architecturedefinedinRFC791/793(1981andearlier)

•  Enablesanyhosttotalktoanyotherhosto  Namesboxesandinterfaceso  Supportsend-to-endconversaIonso  ProvidesunreliablepacketdeliveryviaIPdatagramso  CompensatesforsimplicityofIPviacomplexityof

TCP

6

•  Helpedfacilitatetoday’srichglobal-scalecommunicaIon

•  But,wasnotdesignedforit

•  FundamentalcommunicaIonmodel:point-to-pointconversaIonbetweentwohosts(IPinterfaces)

•  ThecentralabstracIonisahostidenIfiercorrespondingtoanIPaddress

8/1/17

4

7

•  Last20years–profoundchangeinnatureofInternetcommunicaIono  Fromemail/`p/telnetto…o  Fromafewthousandsofusersto…o  FromstaIcwirednodes(computers,terminals)to…o  Fromfriendly,clubby,trusIngambience,to…

•  Massiveamountsofdataconstantlyproducedandconsumed•  Web(esp.mediasharingandsocialnetworking),•  Audio-/video-conferencing

•  Notethat:•  EmailandremoteloginaresIllaround•  Messagingtoo•  Plus,there’sIoT…

KeyAspectsofInternetChange

• MulImediacontent• Mobility/Wireless-ness

àDelaysandDisrupIons• DistribuIonScale• Cloud• IoT?

8/1/17

5

9

•  S&PinthecurrentInternetarecertainlyNOTasuccessstory

•  Retrofided,incremental,bandaid-stylesoluIons,e.g.:•  SSH,•  SSL/TLS(HTTPS),•  IPSec+IKE+ISAKMP,•  DNSSec,•  sBGP,•  AAA,etc.

•  TargetedNSF-fundedprogram,2-IeredcompeIIon•  Majorgoals:

•  Designcomprehensivenext-generaIonInternetarchitectures•  Accommodatecurrentandemergingcomm.paradigms•  Securityandprivacyfromtheoutset(bydesign)

•  Startedin2010•  PhaseI:2010-2014•  PhaseII:2014-2018

•  Projects:•  Nebula(PhaseI)•  MobilityFirst(PhasesIanII)•  XIA:eXpressiveInternetArchitecture(PhasesIandII)•  NDN:Named-DataNetworking(PhasesIandII)•  ChoiceNet(startedin2012,notstrictlyspeakingFIA)

8/1/17

6

CaveatAuditor!

•  IwaspartoftheNDNFIAproject2010-2014•  Work(ed)onS&PinNDN(andCCN)•  WasfundedbytheNSF(‘Ill09/15)•  Thus…takeeverythingwithagrainofsalt,drawyourownconclusions,andexplorefurther

Also:•  IfocusonCCN=NDNandCCNx•  ThereareotherICNefforts,e.g.,formobilenets

CCN=NDN+CCNx

8/1/17

7

Pointers

•  Nameddatanetworkingproject(NDN),hdp://named-data.org•  Content-centricnetworking(CCNx)project,hdp://www.ccnx.org•  Intro:“Networkingnamedcontent”,ACMCoNEXT,2009

•  IEEEInfocomNOMENWorkshop2012,2013•  ACMICNWorkshop/Conference:2012-2013,2014-2017•  VeryacPveIRTFICNResearchGroup(ICNRG)

hQps://trac.ieU.org/trac/irU/wiki/icnrghQps://irU.org/icnrg

•  DagstuhlSeminarson:–  GeneralICN(3total)–  ICNSecurity&Privacy(2total),latest:hdp://www.dagstuhl.de/en/program/calendar/semhp/?semnr=16251

14

•  Foralmost150years,communicaIonmeant:AwireconnecPngtwodevices

•  TheWebforeverchangedthat:WhatmaQersiscontent,notthehostitcamefrom

8/1/17

8

15

Today’sInternet:acommunicaIonnetwork,usedasadistribuIonnetwork

Communication Distribution

Naming Endpoints Content

Memory Invisible, LimitedExplicit;

Storage = Wires

SecurityCommunication

processContent

16

8/1/17

9

17

18

Ca.2009 Ca.2013 Ca.mid-2016

NDN/CCNxsplit

CCNbirthatPARC

PARCsellsCCNxtoCISCOConvergenceeffortstarts

CCN/NDN NDN(NSF/UCLA)

CCNx(PARC)

8/1/17

10

19

20

ISP

ISP

8/1/17

11

21

ISP

ISP

22

•  NameØ  Human-readable,similartoURIØ  Canbeconsideredasanetwork-layerURL

•  Roles:Ø  Consumer

Ø  ProducerØ  Router

•  Objects:Ø  ContentØ  Interest

8/1/17

12

23

• Host•  Interfaceaddress(IPaddress)• Datagram/Packet

•  Router

24

Implicit Hash!

8/1/17

13

25

Consumer Producer Interest Interest Interest Interest

• Carries content name • No source/destination

address

• Named data (content) • Routed using state

26

Interest Incoming IF

/ccn/uci/content IF0

Interest: /ccn/uci/content Interest: /ccn/uci/content

IF0

IF1

IF2

IF3

/ccn/uci/content

Interest: /ndn/uci/content Every router has a: •  PIT: Pending Interest Table •  CS: Content Store (Cache) •  FIB: Forwarding Information Base

, IF3

8/1/17

14

27

•  MainoperaIonisprefix-basedlongestmatchlookup,likeIP

•  InterestsareforwardedaccordingtorouIngtable(FIB),butmulIpointforwarding,broadcast,localfloodingareallokay

•  Datafollowsinterestpathinreverse

(Cache)

(PIT)

28

•  RouIngbasedonnameprefixes+reachability,likeIP•  CanreuseIProuIngprotocols,e.g.,IS-IS,BGP

8/1/17

15

29

Security

•  Now: secure the pipe •  Data is authentic because it emanates from the right box (which is an

end-point of the right secure pipe)

•  CCN: Integrity and trust are properties of content •  Should be inferred from content itself

8/1/17

16

Securing Content: how?

Current SSL/TLS 3-way handshake model is not a good fit for CCN: –  Secures channel, not data –  Authentic content can come from anywhere –  But, access control (and accounting) is difficult –  After content retrieved from origin, it’s served by the

network (from caches) IPSec is also not a good fit for CCN…

Authenticity of Content

Content requested by a consumer can be retrieved from anywhere

•  How can it be trusted? •  How do we know who produced it? •  How do we know it is the correct content?

8/1/17

17

Securing Content

•  Integrity: is data intact and complete?

•  Origin: who produced it?

•  Correctness: is this (content) what consumer wants (based on interest)?

•  Bonus feature: routers can choose to verify content (with caveats)

CCN Content object:

Private Content (aka Content Access Control)

Access to content can be restricted, e.g.:

•  Encrypt once with a symmetric key •  Distribute this key to authorized consumers using

“standard” techniques (pigeons?) •  Access control on key rather than content

•  This can make long-term secrecy problematic

Time permitting, we might come back to this topic…

8/1/17

18

Trust Model?

•  All content is signed •  Interests are not… •  CCN is PKI-agnostic •  Application-specific vs. network-layer trust

CCN: Privacy Benefits

•  Interest has no source address/identifier •  Content can be routed without knowing

consumer identity and/or location •  One observed interest may correspond to

multiple consumers at various locations •  Router caches reduce effectiveness of

observers close to producers

8/1/17

19

CCN: Privacy Challenges •  Name privacy in interests

/CCN/us/wikipedia/STDs/herpes

•  Name privacy in content

/CCN/zimbabwe/piratebay/XSOQW(#E@UED$%.mp3

•  Signature privacy

•  Leaks content publisher identity

•  Classical privacy vs. security conflict

•  Cache privacy

•  Detectable hits/misses

CCN: Security Benefits

•  Simplicity •  All content is signed •  No need for security handshakes in real time •  A producer’s public key is a type of content

– Consumer first fetches producer’s PKC, then requests content (signed by that producer)

8/1/17

20

39

•  Aproducer’spublickeyisatypeofcontent,i.e.,apublickeycerIficate(PKC)•  Reminder:aconsumerdoesn’tneedakey

•  Containsauthorizednameprefixesunderwhichcontentcanbepublished

•  Bindsthemtoapublickey •  For example:

/ccn/cnn/usa/web/key /ccn/verisign/europe/key /ccn/us/ca/edu/uc/uci/cs/gene.tsudik/key

39

CCN: Security Challenges

•  State in routers is both a blessing and a curse •  Such state is a resource that can be abused •  DoS attacks:

–  Interest Flooding – Content Poisoning: proactive & reactive

•  Covert Channels & Geo-location •  Content Access Control •  Trust management at the network layer

8/1/17

21

CCN:quickrecapPRODUCER•  Announcesnameprefixes•  Namesandsignscontentpackets•  Injectscontentintothenetworkbyansweringinterests

CONSUMER•  Generatesinterestpacketsreferringtocontentbyname•  Receivescontent,verifiessignature,decryptsifnecessaryROUTER•  Routesinterestsbasedon(hierarchical)nameprefixes–inherentlymulIcast•  RememberswhereInterestscamefrom(PIT),returnscontentalongsamepath•  OpIonallycachescontent(inCS)•  OpIonallyverifiescontentsignatures

(1)beforeforwarding,(2)beforecaching,or(3)wheneverithasIme 41

Some Recent & Ongoing Work on CCN Security/Privacy

42

•  Anonymouscontentretrieval:ANDaNA/AC3N•  DoS/DDoS:

•  Contentpoisoningcountermeasures•  InterestfloodingmiIgaIon

•  PrivacyofRouter-SideCaching•  Covertchannels&Geo-locaIon•  SecurecontentfragmentaIon•  NDNsecurityinnon-distribuIveserngs(e.g.,sensing,actuaIon)•  Network-LayerTrustManagement•  SecureContentDeleIon•  SecureAccounIng•  DataPrivacy•  NetworkNames•  PIT-lessCCNDesign•  SecureContentDeleIon•  ContentAccessControl•  NACKsandtheirSecurityImplicaIons

8/1/17

22

Name Privacy and Anonymous Content

Retrieval in CCN

Why Name Privacy? CCN names are expressive and meaningful, but…•  Leak information about requested content•  Easy to filter/censor content, e.g., block everything like:

/CCN/cnn/world-news/russia

However:

•  CCN names are opaque to the network

•  Routers only need to know name component boundaries – “/”

•  Names can carry binary data

8/1/17

23

ANDaNA: Anonymous Named Data

Networking Application

•  Observers close to consumer should not learn what content is being requested

•  Target: low-to-medium-volume interactive communication

•  Producers might not be aware of ANDaNA

[DGTU-NDSS2012]

/OR1 /OR2

?/nytimes.com/today

ANDaNA

8/1/17

24

/OR1 /OR2

ANDaNA

/OR1 /OR2

?/nytimes.com/today

ANDaNA

8/1/17

25

/OR1 /OR2

?/nytimes.com/today

ANDaNA

/OR1 /OR2

?/nytimes.com/today

ANDaNA

8/1/17

26

/OR1 /OR2

ANDaNA

/OR1 /OR2

ANDaNA

8/1/17

27

/OR1 /OR2

ANDaNA

ANDaNA

Privacy with 2 hops comparable to Tor with 3 –  Why? Lack of source address in interests –  Anonymizing routers do not learn origin of traffic (only the

previous hop) –  Lower overhead

8/1/17

28

Cache Privacy in

CCN

CCN Cache Privacy

•  Router content caching is good for performance

• Better bandwidth utilization • Lower latency

•  But… bad for privacy – Timing attacks – Cache harvesting attacks

8/1/17

29

•  Who could the adversary be?

•  Another host or router

•  A malicious application on victim’s device

•  Where could the adversary be?

•  Near consumer, e.g., on the same LAN/WLAN segment

•  Near producer (opposite sides of first hop router)

•  In both places at once

Cache Privacy

Scenario 1: Victim=Consumer

Consumer Producer Interest Interest Interest Interest

Adversary

/CCN/org/wikileaks/2012/july/31

8/1/17

30

Scenario 2: Victim=Producer

Consumer Producer Interest Interest Interest Interest

Adversary

/CCN/org/wikileaks/2012/july/31

Scenario 3: Victims=Both

Alice Bob

Adversary Adversary Are Alice and Bob talking?

Recall: consumers must verify content signatures Therefore, Alice & Bob must first fetch each other’s PK

8/1/17

31

Countermeasures

•  Do not cache content at all •  Bad idea…

•  Cache and delay •  Which content? Who decides? •  How long to delay?

Countermeasures •  Two types of traffic:!

•  Private!•  Non-private!

•  Who should dictate privacy?!•  consumer, producer, router?!

•  Two communication types:!•  Low-latency (interactive) traffic!

•  Use unpredictable content names!•  Content distribution traffic; see paper for details (IEEE ICDCS’13)!

•  Random delay!•  Content-specific delay!

•  Privacy bit in header of interests and/or content?!

8/1/17

32

DoS/DDoS in CCN

DoD/DDoS Resistance?

Some current DoS+DDoS attacks become irrelevant: • Content caching mitigates targeted DoS

• Content is not forwarded without prior PIT state set up by interest(s)

• Multiple interests for the same content are collapsed

• Only one copy of content per “interested” interface is returned

• Consumer can’t be “hosed” with unsolicited content >>> THIS IS AN IMPORTANT ADVANTAGE OF CCN!!!

8/1/17

33

DoS/DDoS •  Attacks on infrastructure

•  Loop-holing/black-holing

•  Interest flooding

•  Router resource exhaustion

•  Attacks on consumers & router caches

•  Content flooding

•  Cache pollution

•  Content/cache poisoning

Interest Flooding

Adversarygeneratesnumerousnon-sensicalinterests,e.g.:

/CCN/us/ca/uc/uci/cs/gene.tsudik/random-string

•  Guaranteedtoreachtheproducer

•  Consumespreciousrouterresources(PITentries)

•  IFadackaffectsbothroutersandproducers

AnylegiPmateproducerprefix

8/1/17

34

Interest Flooding PotenIalcountermeasures:

1. UnilateralratelimiIng/throdling

•  ResourceallocaIondeterminedbyrouterstate

2. CollaboraIveratelimiIng/throdling

•  RouterspushbackadacksbyinteracIngwithneighbors

Openproblem:sofar,nodeterminisIccountermeasure!

Content Poisoning

1. Adversaryonthepathtoproducer(e.g.,arouter)– Interceptsgenuineinterest,replieswithfakecontent

– Contentsedlesinrouters

2. AdversaryNOTonthepathtoproducer– AnIcipatesdemandforcontent

– Issuesowninterest(s),replieswithfakecontent

– Contentsedlesinrouters

8/1/17

35

Content Poisoning PotenIalcountermeasures:

•  SignatureverificaIoninrouters?

•  Consumerfeedback?

•  ASegressrouterverificaIononly?

BTW:whatis“fake”content?

•  Badsignature(failsverificaIon),

•  Badsigningkey

70

•  CCNmainobjecIveiscontentdistribuIon•  Facilitatedbycaches+PITsinrouters

•  Consumermustverifycontentsignatures•  But…howtoflushfakecontentfromroutercaches?•  CCNallowsexclusionfiltersininterests(byhash)

o  Canbeused,withverylimitedefficacyo  ImmediateflushèDoSo  Verifyingsignaturesèexpensive+anotherDoStype

•  ConsumerauthenIcaIoncontradictsinterestopacity

8/1/17

36

71

•  Aproducer’spublickeyisatypeofcontent,i.e.,apublickeycerIficate(PKC)•  Reminder:aconsumerdoesn’tneedakey

•  Containsauthorizednameprefixesunderwhichcontentcanbepublished

•  Bindsthemtoapublickey •  For example:

/ccn/cnn/usa/web/key /ccn/verisign/europe/key /ccn/us/ca/edu/uc/uci/cs/gene.tsudik/key

71

72

Tworeasons:•  Ambiguousinterests•  Nounifiedtrustmodel:applicaIonsarediverse&dynamic

AXIOM:Network-layertrustandcontentpoisoningareinseparableRoutersshoulddominimalwork:

•  Notverify/fetchpublickeys(exceptforrouIng)•  Dobounded,fixedamountofworkpercontent

•  e.g.,verifyatmostonesignature

8/1/17

37

73

IKB:Aninterestmustreflectthetrustcontextoftheconsumer’sapplicaPon,thusmakingit(easily)enforceableatthenetworklayer

IKB(CCN):Aninterestmustreflectthepublickeyofthecontentproducer

74

•  MakePublisherPublicKeyDigest(PPKD)fieldmandatoryineveryinterest

•  Consumersobtainandvalidatekeys,using•  Pre-installedrootkeys•  KeyNameService(KNS)•  Globalsearch-basedservice

IKB(CCN):Aninterestmustreflectthepublickeyofthecontentproducer

8/1/17

38

75

•  Producer:o  Includespublickeyineachcontent’s

KeyLocator field

•  Router:o  MatchesKeyLocatordigesttoPPKDinPITo  VerifiessignatureusingKeyLocator o  Nofetching,storing,parsingofpublickeysàNote:PITentrycollapsingtakesPPKDintoaccount

76

CLAIM:AdherencetoIKBèsecurityagainstcontentpoisoning

•  Assume:o  AllnodesabidebyIKBo  Consumernotmaliciouso  Consumer-facingrouters–notmaliciouso  Consumerßàfirst-hoprouterlinknotcompromised

8/1/17

39

77

•  ConsumersendsinterestcontainingPPKD•  Routerensuresthat:

o  ValidcontentsignatureusingkeyinKeyLocatoro  DigestofKeyLocatormatchesPPKDinPIT

•  Consumer-facingrouternotmaliciousèonlypossibilityofpoisonedcontentisifahashcollisionoccurs

Whatifupstreammaliciousrouterssendfakecontent:•  Consumer-facingrouterdetectsanddropsit

78

•  Includekeysininterest:ü  Savestoragex  Requireschangestointerest&contentstructure

•  OnlyASborderroutersimplementIKB

ü  Bederperformancex  PossibleadackswithinAS

But…detectablebyborderroutersNOTE:eachroutermustatleastdoaPPKDmatch

8/1/17

40

79

•  Self-CerIfyingName(SCN)o  Hashofcontent(includingname)aslastcomponentof

name

•  BenignconsumersuseSCNènetworkdelivers“valid”content

•  NosignatureverificaIonbyrouters:o  Onlyonehashre-computaIon

•  Howtogetcontenthashinthefirstplace?

80

Acatalogormanifest:o  AnauthenIcated(signed)datastructureo  ContainsoneormoreSCN-s,nesIngisarbitraryo  AnyauthenIcateddatastructure

o  Hashchains,MHTs,skip-lists,etc.o  StructureisapplicaIon-specifico  UseIKBtobootstrap(i.e.,fetchacatalog)

•  SCNobtainedfromacatalog:ü  Noaddl.signatureverificaIonbyrouters/consumersü  Noneedforproducerstosignindividualcontent

8/1/17

41

81

82

CCNManifestSpecificaIon(InternetDra`)

8/1/17

42

83

1.  ContentDistribuIon,e.g.:

o  Videostreaming:o  OnebigcatalogcontainingSCNsofallsegmentso  Or,hashchains(withdata),orMHT,etc.

o  Foreexample,Webbrowsing:-  HTMLfileasacatalog-  ContainsSCNofsub-pages/components-  WorksonlyforstaIccontent

84

2.  InteracIveTraffic

o  Contentgeneratedondemand(real-Ime),e.g.,audio/videoconferencing,

o  Catalogsarenotviable

o  ContentmustberequestedbyserngPPKDininterest

8/1/17

43

85

•  ConsumerobtainshashHofcontentCfromP’scatalog•  ConsumergeneratesinterestforC,referringtoH•  But,CisnolongeravailableatP•  Preceivesinterestand???

•  Justdropsit:badforConsumeror:•  GeneratesaNACK:routerswilldropitsinceaNACK’s

hashdoesn’tmatchHBoQom-line:needtoaugmentiKBandinterestformattoallowforSCN-carryingintereststosIllrefertoP’spublickeyThiscanbeusedasafallbackifSCNenforcementfails.

Some Recent & Ongoing Work in CCN Security/Privacy

86

•  Anonymouscontentretrieval:ANDaNA/AC3N•  DoS/DDoS:

•  Contentpoisoningcountermeasures•  InterestfloodingmiIgaIon

•  PrivacyofRouter-SideCaching•  Covertchannels&Geo-locaIon•  SecurecontentfragmentaIon•  NDNsecurityinnon-distribuIveserngs(e.g.,sensing,actuaIon)•  Network-LayerTrustManagement•  SecureContentDeleIon•  SecureAccounIng•  DataPrivacy•  NetworkNames•  PIT-lessCCNDesign•  SecureContentDeleIon•  ContentAccessControl•  NACKsandtheirSecurityImplicaIons

8/1/17

44

87